Vulnerability Details : CVE-2017-3137
Mistaken assumptions about the ordering of records in the answer section of a response containing CNAME or DNAME resource records could lead to a situation in which named would exit with an assertion failure when processing a response in which records occurred in an unusual order. Affects BIND 9.9.9-P6, 9.9.10b1->9.9.10rc1, 9.10.4-P6, 9.10.5b1->9.10.5rc1, 9.11.0-P3, 9.11.1b1->9.11.1rc1, and 9.9.9-S8.
Products affected by CVE-2017-3137
- cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*
- cpe:2.3:o:redhat:enterprise_linux_desktop:6.0:*:*:*:*:*:*:*
- cpe:2.3:o:redhat:enterprise_linux_desktop:7.0:*:*:*:*:*:*:*
- cpe:2.3:o:redhat:enterprise_linux_server:6.0:*:*:*:*:*:*:*
- cpe:2.3:o:redhat:enterprise_linux_server:7.0:*:*:*:*:*:*:*
- cpe:2.3:o:redhat:enterprise_linux_workstation:6.0:*:*:*:*:*:*:*
- cpe:2.3:o:redhat:enterprise_linux_workstation:7.0:*:*:*:*:*:*:*
- cpe:2.3:o:redhat:enterprise_linux_server_aus:6.4:*:*:*:*:*:*:*
- cpe:2.3:o:redhat:enterprise_linux_server_aus:6.2:*:*:*:*:*:*:*
- cpe:2.3:o:redhat:enterprise_linux_server_aus:6.5:*:*:*:*:*:*:*
- cpe:2.3:o:redhat:enterprise_linux_server_aus:6.6:*:*:*:*:*:*:*
- cpe:2.3:o:redhat:enterprise_linux_server_aus:7.3:*:*:*:*:*:*:*
- cpe:2.3:o:redhat:enterprise_linux_server_aus:7.4:*:*:*:*:*:*:*
- cpe:2.3:o:redhat:enterprise_linux_server_aus:7.6:*:*:*:*:*:*:*
- cpe:2.3:o:redhat:enterprise_linux_server_aus:7.2:*:*:*:*:*:*:*
- cpe:2.3:o:redhat:enterprise_linux_server_eus:7.3:*:*:*:*:*:*:*
- cpe:2.3:o:redhat:enterprise_linux_server_eus:7.4:*:*:*:*:*:*:*
- cpe:2.3:o:redhat:enterprise_linux_server_eus:7.6:*:*:*:*:*:*:*
- cpe:2.3:o:redhat:enterprise_linux_server_eus:7.2:*:*:*:*:*:*:*
- cpe:2.3:o:redhat:enterprise_linux_server_eus:7.5:*:*:*:*:*:*:*
- cpe:2.3:o:redhat:enterprise_linux_server_eus:6.7:*:*:*:*:*:*:*
- cpe:2.3:o:redhat:enterprise_linux_server_tus:6.5:*:*:*:*:*:*:*
- cpe:2.3:o:redhat:enterprise_linux_server_tus:6.6:*:*:*:*:*:*:*
- cpe:2.3:o:redhat:enterprise_linux_server_tus:7.3:*:*:*:*:*:*:*
- cpe:2.3:o:redhat:enterprise_linux_server_tus:7.6:*:*:*:*:*:*:*
- cpe:2.3:o:redhat:enterprise_linux_server_tus:7.2:*:*:*:*:*:*:*
- cpe:2.3:a:isc:bind:9.9.10:beta1:*:*:*:*:*:*
- cpe:2.3:a:isc:bind:9.11.0:p3:*:*:*:*:*:*
- cpe:2.3:a:isc:bind:9.10.5:rc1:*:*:*:*:*:*
- cpe:2.3:a:isc:bind:9.10.5:b1:*:*:*:*:*:*
- cpe:2.3:a:isc:bind:9.10.4:p6:*:*:*:*:*:*
- cpe:2.3:a:isc:bind:9.9.9:s8:*:*:*:*:*:*
- cpe:2.3:a:isc:bind:9.11.1:b1:*:*:*:*:*:*
- cpe:2.3:a:isc:bind:9.9.10:rc1:*:*:*:*:*:*
- cpe:2.3:a:isc:bind:9.9.9:p6:*:*:*:*:*:*
- cpe:2.3:a:isc:bind:9.11.1:rc1:*:*:*:*:*:*
- cpe:2.3:a:netapp:oncommand_balance:-:*:*:*:*:*:*:*
- cpe:2.3:a:netapp:data_ontap_edge:-:*:*:*:*:*:*:*
- cpe:2.3:a:netapp:element_software:-:*:*:*:*:*:*:*
Threat overview for CVE-2017-3137
- Top open port discovered on systems with this issue: 53
- IPs affected by CVE-2017-3137: 375
- Threat actors abusing this issue? Yes
Exploit prediction scoring system (EPSS) score for CVE-2017-3137
- EPSS score: 34.71% (probability of exploitation activity in the next 30 days)
- Percentile: ~97% (the proportion of vulnerabilities that are scored at or less)
CVSS scores for CVE-2017-3137
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
---|---|---|---|---|---|---|
5.0 | MEDIUM | AV:N/AC:L/Au:N/C:N/I:N/A:P | 10.0 | 2.9 | NIST | |
7.5 | HIGH | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H | 3.9 | 3.6 | NIST | |
7.5 | HIGH | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H | 3.9 | 3.6 | Internet Systems Consortium (ISC) | |
CWE ids for CVE-2017-3137
- The product contains an assert() or similar statement that can be triggered by an attacker, which leads to an application exit or other behavior that is more severe than necessary. Assigned by: nvd@nist.gov (Primary)
References for CVE-2017-3137
- https://security.netapp.com/advisory/ntap-20180802-0002/
  April 2017 ISC BIND Vulnerabilities in NetApp Products | NetApp Product Security (Third Party Advisory)
- http://www.securitytracker.com/id/1038258
  BIND CNAME/DNAME Record Processing Bug Lets Remote Users Cause the Target Service to Crash - SecurityTracker (Third Party Advisory; VDB Entry)
- https://www.debian.org/security/2017/dsa-3854
  Debian -- Security Information -- DSA-3854-1 bind9 (Third Party Advisory)
- https://access.redhat.com/errata/RHSA-2017:1583
  RHSA-2017:1583 - Security Advisory - Red Hat Customer Portal (Third Party Advisory)
- https://access.redhat.com/errata/RHSA-2017:1105
  RHSA-2017:1105 - Security Advisory - Red Hat Customer Portal (Third Party Advisory)
- https://access.redhat.com/errata/RHSA-2017:1582
  RHSA-2017:1582 - Security Advisory - Red Hat Customer Portal (Third Party Advisory)
- https://security.gentoo.org/glsa/201708-01
  BIND: Multiple vulnerabilities (GLSA 201708-01) — Gentoo security (Third Party Advisory)
- http://www.securitytracker.com/id/1040195
  BIND Recursion Processing Error in 'netaddr.c' Lets Remote Users Cause the Target 'named' Service to Crash - SecurityTracker (Third Party Advisory; VDB Entry)
- https://kb.isc.org/docs/aa-01466
  CVE-2017-3137: A response packet can cause a resolver to terminate when processing an answer containing a CNAME or DNAME - Security Advisories (Vendor Advisory)
- https://access.redhat.com/errata/RHSA-2017:1095
  RHSA-2017:1095 - Security Advisory - Red Hat Customer Portal (Third Party Advisory)
- http://www.securityfocus.com/bid/97651
  ISC BIND CVE-2017-3137 Remote Denial of Service Vulnerability (Third Party Advisory; VDB Entry)